Using encryption is not sufficient to secure communication, because the simple fact that communication exists is often enough to raise suspicion and trigger further action. Covert channels aim to hide the very existence of communication by using means of communication not normally intended for that purpose. The huge amount of data and the vast number of different protocols on the Internet make it ideal as a high-bandwidth vehicle for covert channels in network protocols.

The de-facto standard covert channel communication model is the prisoner problem. Two people, Alice and Bob, are thrown into prison and intend to escape. To agree on an escape plan they need to communicate, but Wendy the warden monitors all their messages. If Wendy finds any signs of suspicious messages she will place Alice and Bob into solitary confinement -- making an escape impossible. Alice and Bob must exchange innocuous messages containing hidden information that (hopefully) Wendy will not notice.

We have developed a flexible software framework for empirically evaluating covert channels in network protocols called Covert Channels Evaluation Framework (CCHEF). CCHEF runs under Linux and can be used in real networks with real overt traffic, but can also emulate covert channels using overt traffic from trace files. Usually testing with real traffic is restricted to controlled testbeds where it is almost impossible to generate a realistic traffic mix from a larger number of hosts. Therefore, CCHEF also runs on single hosts emulating covert channels based on overt traffic from trace files.

CCHEF is not designed to be (mis)used for real covert channel communication. Therefore, we have made no attempts to disguise the sender or receiver in any way, to illegally acquire superuser privileges, etc. The sender and receiver are normal user space applications. This allows us to focus on the actual covert channel methods (embedding of hidden information in network protocols), prevents possible misuse, and makes porting easier, since techniques to hide executables etc. are very operating system dependent.

The central component of CCHEF is the Channel module, which interfaces with multiple device modules. Covert data to be sent is read from the Covert In device, while received covert data is written to the Covert Out device. The Overt In/Out device taps into a stream of IP packets to be used as the carrier for the covert data. At the sender, suitable overt packets are intercepted and passed to the Channel module. The Channel module encodes the covert data and passes the modified packet back to the device, which re-injects it into the network. If an overt packet arrives at the receiver, the Channel module decodes any covert information and removes the covert channel (if possible) before re-injecting the packet. (CCHEF also supports passive receivers that use copies of overt packets and do not delay the actual traffic, for cases where removing the covert channel is not necessary.) The Channel module has various sub-modules responsible for modulation, framing, reliable transport, encryption, etc.

Figure 1 shows CCHEF transmitting covert information over a network from Alice (covert sender) to Bob (covert receiver). The figure shows a unidirectional channel but in general channels in CCHEF are bi-directional (depending on the available overt traffic).
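The prisoner problem above puts Wendy, not Alice or Bob, at the centre of an evaluation: a covert channel is only useful if the warden cannot tell the modified overt traffic from normal traffic. The following is an added example (not CCHEF's own code) of the kind of warden-side check such an evaluation would run over a passive copy of the packet stream, or over the packets produced by a trace-file emulation: it learns the value distribution of one header field from a baseline trace and flags a monitored stream whose distribution diverges from it. The field name `hdr_field`, the packet representation as plain dictionaries, the divergence threshold and both traces are constructed assumptions for the example.

```python
"""Warden-side distribution check for one packet header field.

Added example, not part of CCHEF. Packets are modelled as dicts; the key
"hdr_field" stands in for whichever header field the warden audits, and the
traces below are constructed, not captured, data.
"""
from collections import Counter
from math import log2

# Constructed "trace file": a field that is heavily skewed in normal traffic
# (90 % value 0, 10 % value 1, values 2..7 legal but never used).
BASELINE_TRACE = [{"hdr_field": 0} for _ in range(900)] + \
                 [{"hdr_field": 1} for _ in range(100)]

# Constructed innocuous sample: same mix as the baseline, 200 packets.
INNOCUOUS_STREAM = [{"hdr_field": 0} for _ in range(180)] + \
                   [{"hdr_field": 1} for _ in range(20)]

# Constructed suspicious sample: the field takes every legal value equally
# often, as it would if a carrier had overwritten it with hidden data.
SUSPICIOUS_STREAM = [{"hdr_field": v} for v in range(8) for _ in range(100)]

ALPHABET = range(8)   # legal values of the audited field (assumption)
THRESHOLD_BITS = 1.0  # divergence above which Wendy raises an alarm (assumption)


def field_histogram(packets, field="hdr_field"):
    """Count how often each value of `field` appears in a packet list."""
    return Counter(p[field] for p in packets)


def kl_divergence(observed, baseline, alphabet=ALPHABET):
    """D(observed || baseline) in bits.

    Add-one smoothing keeps values that never occur in the baseline from
    producing an infinite divergence on a single stray packet.
    """
    n_obs = sum(observed.values()) + len(alphabet)
    n_base = sum(baseline.values()) + len(alphabet)
    total = 0.0
    for v in alphabet:
        p = (observed.get(v, 0) + 1) / n_obs
        q = (baseline.get(v, 0) + 1) / n_base
        total += p * log2(p / q)
    return total


def warden_check(monitored, baseline_trace=BASELINE_TRACE,
                 threshold=THRESHOLD_BITS):
    """Return (flagged, divergence_bits) for a monitored packet list."""
    divergence = kl_divergence(field_histogram(monitored),
                               field_histogram(baseline_trace))
    return divergence > threshold, divergence


if __name__ == "__main__":
    for name, stream in (("innocuous", INNOCUOUS_STREAM),
                         ("suspicious", SUSPICIOUS_STREAM)):
        flagged, bits = warden_check(stream)
        print(f"{name:10s} divergence={bits:.3f} bits flagged={flagged}")
```

The innocuous sample scores a few hundredths of a bit, while the uniform sample scores close to five bits and is flagged. Which field to audit, and where to put the threshold, is exactly what an empirical evaluation with real or emulated overt traffic has to decide; a channel that keeps the field's distribution close to the baseline will pass this particular check, which is why detectability has to be measured rather than assumed.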